Introduction


The Information Commissioner is seeking feedback on her draft code of 
practice Age appropriate design - a code of practice for online services 
likely to be accessed by children (the code). 


The code will provide guidance on the design standards that the 
Commissioner will expect providers of online ‘Information Society 
Services’ (ISS), which process personal data and are likely to be accessed 
by children, to meet. 


The code is now out for public consultation and will remain open until 31 
May 2019. The Information Commissioner welcomes feedback on the 
specific questions set out below. 


Please send us your comments by 31 May 2019. 


Download this document and email to: 


ageappropriatedesign@ico.org.uk 


Print off this document and post to: 
Age Appropriate Design code consultation 
Policy Engagement Department 
Information Commissioner’s Office 
Wycliffe House 

Water Lane 

Wilmslow 

Cheshire SK9 5AF 


If you would like further information on the consultation please telephone 
0303 123 1113 and ask to speak to the Policy Engagement 
Department about the Age Appropriate Design code or email 


ageappropriatedesign@ico.org.uk 


Privacy statement 


For this consultation, we will publish all responses except for those where 
the respondent indicates that they are an individual acting in a private 
capacity (e.g. a member of the public or a parent). All responses from 
organisations and individuals responding in a professional capacity (e.g. 
academics, child development experts, sole traders, child minders, 
education professionals) will be published. We will remove email 
addresses and telephone numbers from these responses but apart from 
this, we will publish them in full. 


For more information about what we do with personal data, please see 
our privacy notice. 


Section 1: Your views 


LGfL (The London Grid for Learning) is a community of schools and local 
authorities committed to using technology to enhance teaching & learning. 
We support and welcome the proposals outlined in the Age Appropriate 
Design Code, and hope that the comments and recommendations set out 
below will serve to enhance and strengthen the code before it is published. 


Q1. Is the ‘About this code’ section of the code clearly communicated? 


YES 


Q2. Is the ‘Services covered by this code’ section of the code clearly 
communicated? 


YES 


The code applies to services that aren’t specifically aimed or targeted at 
children, but are nonetheless likely to be used by under 18s. Therefore 
clarity would be useful around how this judgement will be made, e.g. 
* any steps taken in the service’s DPIA
* evidence/numbers of young people using the service or similar
  services
* measures in place to prevent young people from accessing the
  service


Standards of age-appropriate design 


Please provide your views on the sections of the code covering each of 
the 16 draft standards 


1. Best interests of the child: The best interests of the child should be 
a primary consideration when you design and develop online services 
likely to be accessed by a child. 


2. Age-appropriate application: Consider the age range of your 
audience and the needs of children of different ages. Apply the standards 
in this code to all users, unless you have robust age-verification 
mechanisms to distinguish adults from children. 


3. Transparency: The privacy information you provide to users, and 
other published terms, policies and community standards, must be 
concise, prominent and in clear language suited to the age of the child. 
Provide additional specific ‘bite-sized’ explanations about how you use 
personal data at the point that use is activated. 


4. Detrimental use of data: Do not use children’s personal data in ways 
that have been shown to be detrimental to their wellbeing, or that go 
against industry codes of practice, other regulatory provisions or 
Government advice. 


5. Policies and community standards: Uphold your own published 
terms, policies and community standards (including but not limited to 
privacy policies, age restriction, behaviour rules and content policies). 


6. Default settings: Settings must be ‘high privacy’ by default (unless 
you can demonstrate a compelling reason for a different default setting, 
taking account of the best interests of the child). 


7. Data minimisation: Collect and retain only the minimum amount of 
personal data necessary to provide the elements of your service in which 
a child is actively and knowingly engaged. Give children separate choices 
over which elements they wish to activate. 


8. Data sharing: Do not disclose children’s data unless you can 
demonstrate a compelling reason to do so, taking account of the best 
interests of the child. 


9. Geolocation: Switch geolocation options off by default (unless you can 
demonstrate a compelling reason for geolocation, taking account of the 
best interests of the child), and provide an obvious sign for children when 
location tracking is active. Options which make a child’s location visible to 
others must default back to off at the end of each session. 


10. Parental controls: If you provide parental controls give the child
age appropriate information about this. If your online service allows a
parent or carer to monitor their child’s online activity or track their
location, provide an obvious sign to the child when they are being
monitored.


11. Profiling: Switch options based on profiling off by default (unless you 
can demonstrate a compelling reason for profiling, taking account of the 
best interests of the child). Only allow profiling if you have appropriate 
measures in place to protect the child from any harmful effects (in 
particular, being fed content that is detrimental to their health or 
wellbeing). 


12. Nudge techniques: Do not use nudge techniques to lead or 
encourage children to provide unnecessary personal data, weaken or turn 
off privacy protections, or extend use. 


13. Connected toys and devices: If you provide a connected toy or 
device ensure you include effective tools to enable compliance with this 
code 


14. Online tools: Provide prominent and accessible tools to help children 
exercise their data protection rights and report concerns. 


15. Data protection impact assessments: Undertake a DPIA 
specifically to assess and mitigate risks to children who are likely to 
access your service, taking into account differing ages, capacities and 
development needs. Ensure that your DPIA builds in compliance with this 
code. 


16. Governance and accountability: Ensure you have policies and 
procedures in place which demonstrate how you comply with data 
protection obligations, including data protection training for all staff 
involved in the design and development of online services likely to be 
accessed by children. Ensure that your policies, procedures and terms of 
service demonstrate compliance with the provisions of this code 


Q3. Have we communicated our expectations for this standard clearly? 
1. Best interests of the child 


YES 


2. Age-appropriate application 
YES 
3. Transparency 


NO - it would be useful for services to consider children with specific
needs, e.g. visually impaired or SEND, when developing different levels of
information explaining their terms.


4. Detrimental use of data 
YES 

5. Policies and community standards 
YES 

6. Default settings 

YES 

7. Data minimisation 

YES 

8. Data sharing 

YES 

9. Geolocation 

YES 

10. Parental controls 


YES - it would be useful however to point out that data used for providing 
a parental monitoring service should not be used for any other purposes, 
and that this provision is not a substitute for compliance with the code. 


11. Profiling 


NO - It would be useful to reference or give guidance specific to 
curriculum tracking software necessary in schools (e.g. a Maths tracker 
which requires lots of information). 


12. Nudge techniques 

YES 

13. Connected toys and devices 

YES 

14. Online tools 

YES 

15. Data protection impact assessments 
YES 

16. Governance and accountability 


YES 


Q4. Do you have any examples that you think could be used to illustrate 
the approach we are advocating for this standard? 


NO - We feel that all the themes below are already well exemplified in the 
document. 


1. Best interests of the child 
NO 

2. Age-appropriate application 
NO 

3. Transparency 


NO 


4. Detrimental use of data 


NO 


5. Policies and community standards 
NO 

6. Default settings: 
NO 

7. Data minimisation 
NO 

8. Data sharing 

NO 

9. Geolocation 

NO 

10. Parental controls 
NO 

11. Profiling 

NO 

12. Nudge techniques 


NO 


13. Connected toys and devices 


NO 


14. Online tools 


NO 


15. Data protection impact assessments 
NO 
16. Governance and accountability 


NO 


Q5. Do you think this standard gives rise to any unwarranted or 
unintended consequences? 


1. Best interests of the child 
NO 

2. Age-appropriate application 
NO 


3. Transparency 

NO 

4. Detrimental use of data 
NO 

5. Policies and community standards 
NO 

6. Default settings 

NO 

7. Data minimisation 

NO 

8. Data sharing 

NO 

9. Geolocation 

NO 

10. Parental controls 

NO 

11. Profiling 


NO 


12. Nudge techniques 


NO 


13. Connected toys and devices 


NO 


14. Online tools 


NO 


15. Data protection impact assessments 


NO 


16. Governance and accountability 


NO 


Q6. Do you envisage any feasibility challenges to online services 
delivering this standard? 


YES - we have identified the following which apply to all the below 16
points: 


Third-party organisations - the supply chain will make it hard to 
enforce, e.g. when a product is bundled with misleading, unclear or
unhelpful information by the said third party. For example, there
have been instances of games consoles being sold in shops and 
packaged with a paper flyer for Fortnite - where the console is for 
young children, this is very unhelpful. 


Schools, parents and facilitators of technology for children 
may accidentally or otherwise bypass conditions - both parties 
will need support or guidance (e.g. from DfE). 


Age-appropriate marketing - whilst it may not fall within the 
scope of this code, it may nevertheless undermine the code, e.g. 
clothing made for very small children with Fortnite or Playboy 
branding on it will undermine the age-verification process by 
subconsciously passing the message that under-age use is allowed. 


1. Best interests of the child 


* As above 


2. Age-appropriate application 


* As above 


3. Transparency 


* As above 


4. Detrimental use of data 


* As above 


5. Policies and community standards 


* As above 


6. Default settings 


* As above 


7. Data minimisation 


* As above 


8. Data sharing 


* As above 


9. Geolocation 


* As above 
10. Parental controls 


* As above 


11. Profiling 


* As above 


12. Nudge techniques 


* As above 


13. Connected toys and devices 


* As above 


14. Online tools 


* As above 


15. Data protection impact assessments 


* As above 


16. Governance and accountability 


* As above 


Q7. Do you think this standard requires a transition period of any longer 
than 3 months after the code comes into force?


* Time frame - we believe that the three month period is very short,
and if it includes a school-holiday period, the 3 months are further 
curtailed. For a school to check on software it is using, the time 
period is therefore very short. 


1. Best interests of the child 


See above 
2. Age-appropriate application 
See above 


3. Transparency 


See above 


4. Detrimental use of data 

See above 

5. Policies and community standards 
See above 

6. Default settings 

See above 

7. Data minimisation 

See above 

8. Data sharing 


See above 


9. Geolocation 
See above 
10. Parental controls 


Many parental controls in existing products or ecosystems are clearly 
rushed and not well thought out. A short period of time to develop these 
might give companies an excuse to not carry out extensive UX testing. 


11. Profiling 

See above 

12. Nudge techniques 

See above 

13. Connected toys and devices 
See above 

14. Online tools 

See above 


15. Data protection impact assessments 


See above 


16. Governance and accountability 


See above 
Q8. Do you know of any online resources that you think could be usefully 
linked to from this section of the code? 


For all the below, the 5 rights code is also useful to consider. 


1. Best interests of the child 
NO 

2. Age-appropriate application 
NO 

3. Transparency 

NO 

4. Detrimental use of data 

NO 

5. Policies and community standards 
NO 

6. Default settings 

NO 

7. Data minimisation 

NO 

8. Data sharing 

NO 

9. Geolocation 

NO 


10. Parental controls 


NO 


11. Profiling 

NO 

12. Nudge techniques 

NO 

13. Connected toys and devices 

NO 

14. Online tools 

NO 

15. Data protection impact assessments 
NO 

16. Governance and accountability 


NO 


Q9. Is the ‘Enforcement of this code’ section clearly communicated? 


YES 


Q10. Is the ‘Glossary’ section of the code clearly communicated? 


YES - this is short and succinct 


Q11. Are there any key terms missing from the ‘Glossary’ section? 


NO 


Q12. Is the ‘Annex A: Age and developmental stages’ section of the 
code clearly communicated? 


YES 


Q13. Is there any information you think needs to be changed in the 
‘Annex A: Age and developmental stages’ section of the code? 


NO 


Q14. Do you know of any online resources that you think could be 
usefully linked to from the ‘Annex A: Age and developmental 
stages’ section of the code? 


YES 


* Hopes & Streams - LGfL’s Online Safety Survey of 40,000 UK pupils,
  providing an insight into their online lives and experiences:
  https://www.lgfl.net/online-safety/hopesandstreams

* Jessie & Friends (4-7 year olds):
  https://www.thinkuknow.co.uk/parents/jessie-and-friends-videos/

* RSPH #NewFilters - Report from the All Party Parliamentary Group on Social
  Media and Young People’s Mental Health and Wellbeing Inquiry: “Managing the
  Impact of Social Media on Young People’s Mental Health and Wellbeing”:
  https://www.rsph.org.uk/our-work/policy/wellbeing/new-filters.html


Q15. Is the ‘Annex B: Lawful basis for processing’ section of the 
code communicated? 


YES - but: 


* With the caveat that the language used in Annex B, compared to that
  in Annexes A and C respectively, is much more technical, legal, and
  sophisticated and therefore perhaps harder to understand for a more
  casual reader/smaller app developer

* bearing in mind that many apps are designed by children/young
  people, who might also find the language and terminology difficult to
  understand


Q16. Is this ‘Annex C: Data Protection Impact Assessments’ 
section of the code clearly communicated? 


YES 


Q17. Do you think any issues raised by the code would benefit from 
further (post publication) work, research or innovation? 


YES, for the following areas: 


* Enforcement - “strong” examples of ICO punitive actions against
  organisations that have breached data protection standards relating to
  children and young people - perhaps a link to ICO cases?

* Impact - research will be needed to demonstrate the impact of the
  code and that change has occurred

* Compliance - schools, parents and others will want an easy way to
  check if a product meets the terms of the code, especially for legacy
  products


Additionally, a strong marketing campaign will be required to increase 
awareness of the code - this will also help with reporting and enforcement. 


Section 2: About you


Are you: 


A body representing the views or interests of children? 
Please specify: 
LGfL (The London Grid for Learning) is a community of schools 


and local authorities committed to using technology to enhance 
teaching & learning 


A body representing the views or interests of parents? 


Please specify:


A child development expert? 


Please specify:


An Academic? 


Please specify: 


An individual acting in another professional capacity? 


Please specify: 


A provider of an ISS likely to be accessed by children? 
Please specify: 
LGfL (The London Grid for Learning) is a community of schools 


and local authorities committed to using technology to enhance 
teaching & learning 


A trade association representing ISS providers? 


Please specify: 


An individual acting in a private capacity (e.g. someone 
providing their views as a member of the public or a
parent)?


An ICO employee? 


Other? 
Please specify: 
LGfL (The London Grid for Learning) is a community of schools 


and local authorities committed to using technology to enhance 
teaching & learning 


Thank you for responding to this consultation. 


We value your input. 


